Phoenix.pm: So, what are the merits of -T on CGI scripts?
EdelSys Consulting
edelsys at edelsys.com
Thu Sep 2 18:44:54 CDT 1999
At 04:33 PM 09/02/1999 -0700, you wrote:
> >
> > sub untaint {
> >     my ($taint) = @_;
> >     my $untaint = $taint;
> >
> >     # strip "questionable" characters (shell metacharacters, "..")
> >     $untaint =~ s/\.\.//g;
> >     $untaint =~ s/\+/ /g;
> >     $untaint =~ s/\;//g;
> >     $untaint =~ s/\&//g;
> >     $untaint =~ s/\|//g;
> >     $untaint =~ s/\>//g;
> >     $untaint =~ s/\<//g;
> >     $untaint =~ s/\?//g;
> >     $untaint =~ s/\*//g;
> >     $untaint =~ s/\]//g;
> >     $untaint =~ s/\[//g;
> >     $untaint =~ s/\'//g;
> >     $untaint =~ s/\"//g;
> >     $untaint =~ s/\,//g;
> >
> >     # capturing the whole string and assigning $1 clears the taint flag
> >     $untaint =~ /^(.*)$/s;
> >     $untaint = $1;
> >
> >     return $untaint;
> > }
> >
> > These two lines
> >
> >     $untaint =~ /^(.*)$/s;
> >     $untaint = $1;
> >
> > are what actually remove the taint flag from
> > the variable. The other lines are just removing
> > "questionable" characters (e.g. shell metacharacters)
> > from the variable.
> >
> > Tony
>
>why not cast
>
>$untaint =~ s/\.\.|[]+;&|<>?*'",]//go;
>$untaint =~ /^(.*)$/s;
>$untaint = $1;
>
>and get them in one swell foop? (YMMV on actual syntax....)
>
>Well, other than clarity; but that's what comments are for. :-)
>
>David
>
Sure, you can do that if you want. =)
Tony
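An added example, not code from this thread, showing the point Tony makes above in running form: under -T only a regex capture clears the taint flag, so the /^(.*)$/s idiom launders whatever the blacklist leaves behind, while a whitelist capture launders only values the script actually expected. It uses Scalar::Util::tainted to inspect the flag and the substr($ENV{PATH}, 0, 0) trick to build tainted strings offline; the sample inputs and the filename whitelist pattern are assumptions of the example, not anything from the original post.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Added example, not code from the original thread.  Run it as:
#   perl -T taint_demo.pl
# Under -T, every value that reaches the program from outside (%ENV, @ARGV,
# STDIN, and therefore CGI parameters) carries a taint flag, and Perl refuses
# to pass a tainted value to system(), exec(), open-for-write, unlink and
# similar calls.  The only thing that clears the flag is a regex capture.

# The idiom from the quoted sub: strip a blacklist of characters, then
# launder whatever remains with /^(.*)$/s.  The capture always matches, so
# every input comes out untainted, including characters the list never
# mentioned ($, backticks, parentheses, and, because of /s, newlines).
sub untaint_blanket {
    my ($in) = @_;
    (my $out = $in) =~ s/\.\.|[][+;&|<>?*'",]//g;
    $out =~ /^(.*)$/s;
    return $1;
}

# Whitelist form: say what a valid value looks like and accept only that.
# Returns undef for anything else, so the caller has to handle rejection
# instead of silently receiving a "cleaned" string.  The pattern is an
# assumption of this example (a plain filename, no path separators).
sub untaint_filename {
    my ($in) = @_;
    return $1 if $in =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})$/;
    return undef;
}

# Constructed sample inputs: one legitimate filename and three that the
# blacklist approach does not catch.
my @samples = ('report.txt', '$(id)', "report.txt\nid", '../../etc/passwd');

# Concatenating with a zero-length slice of a tainted value ($ENV{PATH} is
# tainted under -T; this assumes PATH is set) yields a string with a known
# value that still carries the flag, the same state CGI input arrives in.
for my $raw (@samples) {
    my $in = substr($ENV{PATH}, 0, 0) . $raw;
    (my $shown = $raw) =~ s/\n/\\n/g;

    my $blanket = untaint_blanket($in);
    my $strict  = untaint_filename($in);
    (my $blanket_shown = $blanket) =~ s/\n/\\n/g;

    printf "%-18s tainted in: %d  blanket: %-18s tainted: %d  whitelist: %s\n",
        $shown,
        tainted($in)      ? 1 : 0,
        $blanket_shown,
        tainted($blanket) ? 1 : 0,
        defined $strict   ? $strict : 'REJECTED';
}
```

The point to take from running it: the blanket version reports tainted=0 for every sample, so -T would happily let those strings reach system() or open(), whereas the whitelist version returns undef for the three hostile inputs and the script has to decide what to do with a rejection rather than proceeding with a "cleaned" value.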
More information about the Phoenix-pm mailing list